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Abstract — A set of terminals observe correlated data and 
seek to compute functions of the data using interactive public 
communication. At the same time, it is required that the value 
of a private function of the data remains concealed from an 
eavesdropper observing this communication. In general, the 
private function and the functions computed by the nodes can 
be all different. We show that a class of functions are securely 
computable if and only if the conditional entropy of data given 
the value of private function is greater than the least rate of 
interactive communication required for a related multiterminal 
source-coding task. A single-letter formula is provided for this 
rate in special cases. 

Index Terms — Balanced coloring lemma, distributed comput- 
ing, function computation, omniscience, secure computation. 



I. Introduction 

We consider the following distributed function computation 
problem with a confidentiality requirement. The terminals in 
a set M = {l,...,m} observe correlated data, and wish to 
compute functions gi,...,g m , respectively, of their collective 
data. To this end, they communicate interactively over a 
noiseless channel of unlimited capacity. It is required that this 
communication must not reveal the value of a specified private 
function go of the data. If such a communication protocol 
exists, the functions go,gi,-.-,g m are said to be securely 
computable. We formulate a Shannon theoretic multiterminal 
source model that addresses the basic question: When are the 
functions go,gi, ■■■,g m securely computable? 

Applications of this formulation include distributed com- 
puting over public communication networks and function 
computation over sensor networks in hostile environments. 
In contrast to the classic notion of secure computing in 
cryptography lETl . we assume that the nodes are trustworthy 
but their public communication network can be accessed by an 
eavesdropper. We examine the feasibility of certain distributed 
computing tasks without revealing a critical portion of the data 
to the eavesdropper; the function gi, i = 1, ...,m, denotes 
the computation requirements of the ith terminal, while the 
critical data is represented by the value of private function go- 
As an example, consider a data download problem in a sensor 
network. The central server terminal 1 downloads binary data 
from terminals 2, m, while the latter terminals compute the 
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symbolwise maxima. An observer of the communication must 
not learn of the data of terminals 2, m. 

The answer to the general question above remains open. 
The simplest case of interest when the terminals in a subset 
A of M. compute only the private function go and those 
not in A perform no computation was introduced in |[T9l . 
The data download problem, upon dropping the computation 
requirements for terminals 2, ...,m, reduces to this setting. It 
was shown that if go is securely computable (by the terminals 
in A), then 

H(X M \Go) = H(X M )-H(G )>R*, (1) 
and go is securely computable if 

H(X M \Go) >iT, (2) 

where R* has the operational significance of being the min- 
imum overall rate of communication needed for a specific 
multiterminal source-coding task that necessitates the recovery 
of entire data at all the terminals in A; this task does not 
involve any security constraint (see Section [II] for a detailed 
discussion). Loosely speaking, denoting the collective data 
of the terminals by the random variable (rv) Xj^ an d the 
random value of the function go by the rv Go, the maximum 
rate of randomness (in the data) that is independent of Go is 
H (Xm\Go)- The conditions above imply, in effect, that go is 
securely computable if and only if this residual randomness 
of rate H (X_m Go) contains an interactive communication, of 
rate R*, for the mentioned source-coding task. 

In this paper, for a broad class of settings involving the se- 
cure computation of multiple functions, we establish necessary 
and sufficient conditions for secure computation of the same 
form as (HJ and (0, respectively. The rate R* now corresponds 
to, roughly, the minimum overall rate of communication that 
allows each terminal to: 

(i) accomplish its required computation task, and, 

(ii) along with the private function value, recover the entire 
data. 

This characterization of secure computability is obtained via a 
general heuristic principle that leads to new results and further 
explains the results of |fl9l in a broader context. 

Using the sufficient condition ©, we present a specific se- 
cure computing protocol in Section [IV] with a communication 
of rate R*. Under (|2), the secure computing scheme in |[T9l 
recovered the entire data, i.e., the collective observations of 
all the terminals, at the (function seeking) terminals in A 
using communication that is independent of Go- In fact, we 
observe that this is a special case of the following more general 
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principle: a terminal that computes the private function go, 
may recover the entire data without affecting the conditions 
for secure computability. 

Unlike 1 19 j, we do not provide a single-letter formula for the 
quantity R*, in general; nevertheless, conditions (fl~|i and (0 
provide a structural characterization of securely computable 
functions in a broader setting, generalizing the results in |fl9l . 
A general recipe for single-letter characterization is presented 
which, in Example [TJ and Corollary |4]below, yields single-letter 
results that are new and cannot be obtained from the analysis 
in ||l9l . To the best of our knowledge, the general analysis 
presented here is the only known method to prove the necessity 
of the single-letter conditions for secure computability in these 
special cases. Furthermore, for the cases with single-letter 
characterizations, the aforementioned heuristic interpretation 
of R* is made precise (see the remark following Lemma [2] 
below). 

The algorithms for exact function computation by multiple 
parties, without secrecy requirements, were first considered in 
ll20l . and have since been studied extensively (cf. e.g., J8), (9), 
iflCfl ). An information-theoretic version with asymptotically 
accurate (in observation length) function computation was 
considered in |[T6l , ATI . The first instance of the exact function 
computation problem with secrecy appears in 1031 . A basic 
version of the secure computation problem studied here was 
introduced in lfl8l . fl9l ; G) gives an alternative proof of the 
results in lfl8l, |[l9l. 

The problem of secure computing for multiple functions 
is formulated in the next section, followed by our results in 
section Hill The proofs are given in sections [TV] and [V] The final 
section discusses alternative forms of the necessary conditions. 

Notation. The set {1, ...,m} is denoted by M.. For i < j, 
denote by [i, j] the set {i, j}. Let X\, X m , m > 2, be rvs 
taking values in finite sets X\,...,X m , respectively, and with 
a known probability mass function. Denote by Xm the col- 
lection of rvs (X\, ...,X m ), and by X M = (X M ,i, X M ,n) 
the n independent and identically distributed (i.i.d). repetitions 
of the rv Xm- For a subset A of M, denote by Xa the rvs 
(Xi,i £ A). Given Rj > 0, 1 < i < m, let Ra denote the 
sum J2ieA Denote the cardinality of the range-space of 
an rv U by \\U\\. 

Finally, for < e < 1, an rv U is e-recoverable from an rv 
V if there exists a function g of V such that Pr (U = g(V)) > 
1 - e. 



II. Problem formulation 

We consider a multiterminal source model for function 
computation using public communication, with a confiden- 
tiality requirement. This basic model was introduced in J5] 
in a separate context of SK generation with public transac- 
tion. Terminals 1, ...,m observe, respectively, the sequences 
X{\ . . . , X™ of length n. For < i < m, let g, : X M —> y t 
be given mappings, where the sets 3^ are finite. Further, 
for < i < m and n > 1, the (single-letter) mapping 



g? : X M -> y? is defined by 

9ii x M) = (.9i(- T ll: ■ • • j x ml), ■ ■ ■ , gi{xin, ■ ■ ■ i Xmn)), 
X M = ( X l J • ' • J X m) ^ X M - 

For convenience, we shall denote the rv (X M ) by G", n > 
1, and, in particular, G\ = gi (Xm) simply by Gi. 

Each terminal i e M wishes to compute the function 
gf(x M ), without revealing g'o (x M ), x M G X M . To this end, 
the terminals are allowed to communicate over a noiseless 
public channel, possibly interactively in several rounds. 

Definition 1. An r-rounds interactive communication protocol 
consists of mappings 

/ill •••■> firm 3 frlj frrm 

where denotes the communication sent by the jth node in 
the ith round of the protocol; specifically, is a function 
of X™ and the communication sent in the previous rounds 
{fki ■ 1 < k < i — 1,1 € Ad}. Denote the rv corresponding to 
the communication by 

F Fi 1 , . . . , F\ 7n , — , F r i , . . . , F rm , 

noting that F = F^ (X m ). The rat43 of F is i log ||F||. 

Definition 2. For e„ > 0, n > 1, we say that functional 
9m = {9o,9i,-,9m), with private function g , are e„- 
securely computable (e ra - SC) from observations of length n, 
and public communication F = F( n ), if 

(i) Gf is e„- recoverable from (X™, F) for every i 6 M, 
and 

(ii) F satisfies the secrecy condition 

—I (Gq A F) < e„. 

n 

Remark. The definition of secrecy here corresponds to "weak 
secrecy" [TJ, IfTJl . When our results have a single-letter form, 
our achievability schemes for secure computing attain "strong 
secrecy" in the sense of lfT4l . |]4], (6). In fact, when we have 
a single-letter form, our proof in section [IV] yields "strong 
secrecy" upon minor modification. 

By definition, for e„-SC functions gM, the private function 
Go is effectively concealed from an eavesdropper with access 
to the public communication F. 

Definition 3. For private function go, we say that functions 
gM are securely computable if gM are e n- SC from obser- 
vations of length n and public communication F = F("), 
such that lime„ = 0. Figure [T] shows the setup for secure 

n 

computing. 

In this paper, we give necessary and sufficient conditions 
for the secure computability of certain classes of functions 
9m = (90 1 9i, 9m)- The formulation in |19|, in which the 
terminals in a given subset A of Ai are required to compute 

'All logarithms are with respect to the base 2. 

- The abuse of notation gM = (so, 9ii ■■■■> Qm ) simplifies our presentation. 
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Interactive Communication F, \l (F A Gq) « 




Fig. 1 . Secure computation of g\ , . . . , g m with private function go 



(only) go securely, is a special case with 



(go 

9i = < 



i G A, 
constant, otherwise. 



(3) 



It was shown in |fl9l that (Q]i and Q constitute, respectively, 
necessary and sufficient conditions for the functions above to 
be securely computable, with R* being the minimum rate of 
interactive communication F that enables all the terminals 
in M. to attain omniscience (see J6)), i.e., recover all the 
data X M , using F and the decoder side information Gq 
given to the terminals in Ai \ A. In fact, it was shown that 
when condition (f2]i holds, it is possible to recover X M using 
communication that is independent of Gq . 

The guiding heuristic in this work is the following general 
principle, which is also consistent with the results of lH9l : 

Conditions (0) and (0 constitute, respectively, the necessary 

and sufficient conditions for functions gM = (<70j<7lj ••• J <7m) to 
be securely computable, where R* is the infimum of the rates of 
interactive communication F' such that, for each 1 < i < m, 
the following hold simultaneously: 



(PI) 
(P2) 



G" is e n -recoverable from (X",F'), and 
X M is e n -recoverable from (X",Gq,F'), i.e., terminals 
attain omniscience, with Gq as side information that is 
used only for decoding (but is not used for the commu- 
nication F'), 

where e„ — > as n — > oo. 

Thus, (PI) and (P2) require any terminal computing go to 
become omniscient, an observation that was also made for 
the special case in lfl9l . The first condition (PI) above is 
straightforward and ensures the computability of the functions 
gi,...,g m < by the terminals l,...,m, respectively. The omni- 
science condition (P2) facilitates the decomposition of total 
entropy into mutually independent components that include 
the random values of the private function Gq and the com- 
munication F'. For the specific case in ([3j, R* above has a 
single-letter formula. In general, a single-letter expression for 
R* is not known. 

Our results, described in section UTH are obtained by simple 
adaptations of this principle. Unlike lfl9l . our conditions, in 
general, are not of a single-letter form. Nevertheless, they 
provide a structural characterization of secure computability. 



As an application, our results provide simple conditions for 
secure computability in the following illustrative example. 

Example 1. We consider the case of m = 2 terminals that 
observe binary symmetric sources (BSS) with underlying rvs 
X\, X2 with joint pmf given by 

1-5 



Pr(X 1 =0,X 2 =0)=Pr(X l = 1,X 2 = 1) = 
Pr (Xi = Q,X 2 = 1) = Pr (Xi =1,X 2 = 0) = 



2' 



where < 6 < 1/2. The results of this paper will allow us 
to provide conditions for the secure computability of the four 
choices of go,gi,g 2 below; it will follow by Theorem Q] that 
functions go,gi,g 2 are securely computable if 

h(S) < r, 

and conversely, if the functions above are securely computable, 
then 

h(6) < T, 

where h(r) = — r log r — (1 — r) log(l — r), and the constant 
t = t(S) depends on the choice of the function. These 
characterizations are summarized in the next table. Denote the 
AND and the OR of two random bits Xi and X 2 by X 1 .X 2 
and X\ © X 2 , respectively. 



.90 


9i 


92 


T 


X 1 ®X 2 


x 1 ®x 2 


x 1 @x 2 


1/2 


x x ®x 2 


x x ®x 2 




1 


X 1 (S)X 2 , XlX 2 


x l ®x 2 , x x .x 2 


X\.X 2 


2(5/3 


x l ®x 2 


X 1 ®X 2 


X\.X 2 


2/3 



The results for the first two settings follow from |fi9l . The 
third and fourth results are new. In these settings, terminal 1 
is required to recover the private function; our results below 
show that the conditions for the secure computability in these 
cases remain unchanged even if this terminal is required to 
attain omniscience. Note that since h(8) < 1 for all < 
5 < 1/2, there exists a communication protocol for securely 
computing the functions in the second setting. By contrast, a 
secure computing protocol for the functions in the third setting 
does not exist for any < 6 < 1/2, since h(S) > 25/3. □ 

III. Characterization of securely computable 
functions 

In this section, we characterize securely computable func- 
tions for three settings. Our necessary and sufficient conditions 
entail the comparison of H {Xm\Gq) with a rate R*; the 
specific choice of R* depends on the functions gM- Below 
we consider three different classes of functions gM- Although 
the first class is a special case of the second, the two are 
handled separately as the more restrictive case is amenable 
to simpler analysis. Furthermore, for m = 2, the obtained 
necessary and sufficient conditions for secure computability 
take a single-letter form in the first case (see Corollary 2}. 

(1) In the first class we consider, values of all the functions 



4 



gi,...,g m must be kept secret. In addition, at least one of 
the terminals must compute all the functions gi,...,g m . This 
case arises in distributed function computation over a network 
where all the computed values are collated at a single sink 
node, and we are interested in securing the collated function 
values. Alternatively, denoting the function computed at the 
sink node by the private function go, the computed functions 
gi, ...,g m can be restricted to be functions of go. Specifically, 
for < mo < m, and for private function go, let 




i e [l,m ] , 

i £ [m + 1, m] 



(4) 



(2) The next case is a relaxation of the previous model in that 
the restriction gi = gi (go) for i 6 [mo + l,m] is dropped. 
For this general case, our analysis below implies roughly 
that requiring the terminals [l,mo] that compute the private 
function go to recover the entire data X M does not change the 
conditions for secure computability, which is a key observation 
of this paper. 

(3) The last class of problems we study is an instance of secure 
multite rminal source coding, which arises in the data download 
problems in sensor networks where each node is interested 
in downloading the data observed by a subset of nodes. 
Specifically, we consider the situation where each terminal 
wishes to recover some subset X M . of the sources where 
M l CM\ {»}, i.e., 



(5) 



This last case appears to be disconnected from the previous 
two cases a priori. However, our characterizations of secure 
computability below have the same form for all cases above. 
Moreover, the same heuristic principle, highlighted in (PI) and 
(P2), leads to a characterization of secure computability in all 
three cases. 

The necessary and sufficient conditions for secure com- 
putability are stated in terms of quantities -R*(<?x), i = 1,2, 3, 
which are defined next. The subscript i corresponds to case 
(i) above. In particular, the quantity R* corresponds to the 
minimum rate of communication needed for an appropriate 
modification of the source-coding task in (PI), (P2). Below 
we give specific expressions for R*, i = 1,2,3, along with 
their operational roles (for a complete description of this role 
see the sufficiency proof in Section HV) . 

Denote by TZ\ (g^vi) the closure of the (nonempty) set of 
pairs^l 



1 



for all n > 1 and interactive communication F, where 

1 1 m 

R%> = -H(F) + - V H(G*\X?,-F) + w£R M , (6) 
n n * — ' 

i— mo + 1 

with the infimum taken over the rates Ri,...,R m satisfying 
the following constraints: 

3 The first term accounts for the rate of the communication and the second 
term tracks the information about Gg leaked by F (see (TT)) below 



(la) V£ C M, [l,m ] £ C 
1 



Rc>-H[X2\X^ C ,F 



(lb) V£ C M, [l,m ] C C, 
1 



Rc > -ti yx c \x M ^ c ,G ,t 

The quantity inf„.F R^ corresponds to the solution of a 
multiterminal source coding problem. Specifically, it is the 
infimum of the rates of interactive communication that satisfy 
(PI) and (P2) above (see (3 Theorem 13.15], JU). 

Next, let (gjw) denote the closure of the set of pairs 



4 2; ,-/(G l AF) 



for all n > 1 and interactive communication F, where 



R 



(2) 



1 



ff(F)+inf R' [mo+1 . m] +R M 



with the infimum taken over the rates Ri,...,R n 
R' +1 , ■■■,R' m satisfying the following constraints: 
(2a) V£ C M, [I, m ] £ C, 



(7) 
and 



(2b) for mo < j < m, 



1 



R' 3 >-H{G-\X^Y) 

(2c) V£ C M, [1, mo] C C, and £' C [mo 4 
C^M or C ^ [m + l,m], 



1 , ml with either 



Rc +Rc>~n I A £ |G [mo 



(2) 

The quantity inf„.F Rp corresponds to the solution of a 
multiterminal source coding problem, and is the infimum of 
the rates of interactive communication F' that satisfy (PI) and 
(P2) above, and additionally satisfies: 

(P3) X^ is e„- recoverable from (G", G \ F'), m < j < m. 

This modification corresponds to the introduction of m — mo 
dummy terminals, with the jth dummy terminal observing G™, 
m o < j < m (see section IVB : the dummy terminals can be 
realized by a terminal i in [1, ...,mo] that recovers Xj^ from 
(X",F). The conditions (P2) and (P3) above correspond to 
the omniscience at the terminals in the extended model, with 
Go provided as side information only for decoding. 

Finally, denote by TZ% [gjvi) the closure of the set of pairs 

4 3) ,i/(G 'AF) 
n 



for all interactive communication F, where 



R 



(3) _ 



-H(F)+MR 



Mi 



(8) 



with rates Ri,...,R m satisfying the following constraints: 
(3a) For 1 < i < m, V£ C M t C M \ {i}, 
1 



R c > 



5 



(3b) V£ C M, 

Rc > -ti \x c \x M \ c ,G ,t 

As before, the quantity inf„ F -Rp corresponds to the infimum 
of the rates of interactive communication that satisfy (PI) and 
(P2) above. 

Our main result below characterizes securely computable 
functions for the three settings above. 

Theorem 1. For i = 1, 2, 3, with functions <?o,5i, ■■■,g m os in 
the case (i) above, the functions gM ® re securely computable 
if the following condition holds: 



H (X M \G ) > R*(9. 



Mi 



(9) 



Conversely, if the functions above are securely computable, 
then 



H (X M \G ) > R*(g. 



M, 



(10) 



where 



R*(g M )= inf x, i = 1,2,3. (11) 

(x,0)£-R*(g M ) 



Remark. Although the first setting above is a special case 
of the second, it is unclear if for gM in (0]i the quantities 
R\(9m) an d R 2 (9m) are identical (also, see Section IVD . 
In general, the multi-letter characterizations of secure com- 
putability of gM above can have different forms. For case 
(1) with nri — 2, Corollary @] below provides a single-letter 
formula for R\(gM)- However, a similar single-letter formula 
for i?2 (9 m ) is not known. 

Theorem Q] affords the following heuristic interpretation. 
The quantity H (Xm\Gq) represents the maximum rate of 
randomness in X M that is (nearly) independent of GfJ . On the 
other hand, R* {qm) is an appropriate rate of communication 
for the computation of qm\ we show that latter being less than 
H (Xm\Gq) guarantees the secure computability of gM- 

Although the characterization in Theorem [T] is not of a 
single-letter form, the following result provides a sufficient 
condition for obtaining such forms. Denote by inconstant' * = 
1,2,3, the quantity R F for F = constant. 

Lemma 2. For case (i), i = 1,2,3, if for all n > 1 and 
interactive communication F 



then R* (gj^) = R, 



* — * ^constant! 

_ • r p(0 

km! — mi n.F ' ' p • 



(12) 



The proof is a simple consequence of the definition of 
R* (gM) m ( fTTT l. Note that i?constant h as a single-letter form. 

Remark. As mentioned before, the quantity inf „ f R^ is the 
infimum of the rates of interactive communication that satisfies 
(PI), (P2) for i = 1,3, and satisfies (P1)-(P3) for i = 2. Thus, 
when the conditions of Lemma [2] hold, we have from Theorem 
Q] that gM securely computable if 



H (Xm \Gq) > R, 



(t) 



and if gM securely computable then 

H (Xm\Gq) > R, 



constant ) 



(i) 

where inconstant is the minimum rate of communication that 
satisfies (PI), (P2) for i = 1,3, and satisfies (P1)-(P3) for 
i = 2. 

As a consequence of Lemma [2] we obtain below a single- 
letter characterization of securely computable functions, with 
m = 2, in a special case; the following lemma, which is a 
special case of J7] Lemma B.l] (see also lfP2l Theorem 1]), is 
instrumental to our proof. 

Lemma 3. Let m = 2. For an interactive communication F, 
we have 

H(F) > H (F\X{ 1 ) + H (F\X" 2 l ) . 

We next consider case (1) for two terminals. 

Corollary 4. For m ~ 2, for functions go, gi,g2 with g\ = go 
and 92 = 92 (50). we have 

Rl (g M ) = H (X 2 \X 1 ) +H{G 2 \X 2 ) + H (X x |X 2 , Go) . 

(13) 

Proof: The constraints (la) and (lb) satisfied by rates 

(i) 



R\ , i?2 in the definition of i? F ' are 



R 2 > ±H(X2\X?,F), 
n 

Ri > ^h(x?\xz,g%,f), 



which further yields 



4 X) = -[H(F)+H(G%\X2,F) 
n 



1 



-H (X%\X^ F) + H (X?\X?, G \ F)] . (14) 



Thus, inconstant equals the term on the right side of ([T3V Upon 
manipulating the expression for Rp above, we get 



4 X) = - [H(F) - H (F|XD - H (F|X 2 n , Gq] 



-I{G n 2 AF\X 2 



R 



(i) 



(15) 



Further, since H (G 2 |G ) = 0, it holds that 

I (G^ A F|XJ) < I (Go A F|XJ) 
which along with (fT3T > yields 



4 X) > 



1 



n 

>R 



H(F) - H (F|AT") - H (F\X%) 
(l) 



R, 



in 



where the last inequality follows from Lemma [3] The result 
then follows from Lemma [2] □ 

We next derive simple conditions for secure computability 
for the BSS in Example [T] 

Example 2. Consider the setup of Example Q] with go = 
91 = X x X 2 ,X X .X 2 and g 2 = X X .X 2 . By Corollary E] 
and the observation H (G 2 \X 2 ) = h(S)/2, we get R\ (gM) = 
3h(S)/2. Since H{X 1 ,X 2 \ G ) =H(X 1 ,X 2 \ X x ® X 2 ) - 
H (X\.X 2 I Xi®X 2 ) — 8, the characterization of secure 
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computability claimed in Example [TJ follows from Theorem 
ID □ 

Example 3. In the setup of Example Q] consider go = .9i = 
X\ © X 2 and g 2 = Xi.X 2 . This choice of go, g\,gi is an 

instance of case (2) above. For an interactive communication 

(2) 

F, the constraints (2a), (2b), (2c) in the definition of R F , 
upon simplification, reduce to 

Ri > -hwii;,g;,g;,f), 

n 

R 2 > iiT(X 2 "|X?,F), 
R. 1 +R 2 > ±H(X?,X$\GS,G%,F), 
R' 2 >^H(G%\X2,F). 

Therefore, inf [Ri + R 2 + R' 2 ] with Ri,R 2 ,R' 2 satisfying 
(2a), (2b), (2c), is given by 



H(X?\XS,G%,G2,F) 
+ max {H (X? F),H {X?\X? , F) } 

+ H(G 2 l \X> 2 \F) 



which further gives 

max {H {X%\G n , G 2 , F) , H (X^\X[ l , F)} 



0(2) _ 1 
rip — — 

F n 



+ H(G n 2 \X2,F) 

It follows from H (X?\X$, G l , G 2 , F) = that 
= ff (G 2 |X 2 ) 



(16) 



7? 



(2) 



+ max {if (X 2 \G , G 2 ) , H (X 2 \X{)} 



h(6) 



max{S,h(S)} = -h{S), 



(17) 



2 2 
as /i(<5) > 5 for < 5 < 1/2. 

Next, note from (fTol i that for any interactive communication 

F 



i?F 2 ' > ~[H(F) + H (X2\X?,F) + H(G%\X2,F)) 

= ±[H(F) + H(X2\X?) 

-H (F\X^) + H {G r 2 l , F\X r 2 L ) - H (F|X£)] 

> - [H{F) - H {F\X?) - H {F\X%)\ 



1 



+ H (G 2 \X 2 ) + H {X 2 \X{j 
>H(G 2 \X 2 )+H(X 2 \X 1 ) = h(S), 



(18) 



where the last inequality above follows from Lemma [3] The 
characterization in Example [TJ follows from (TTTt , (TT81 , and 
H (Xi, X 2 \Go) = 1, using Lemma [2] and Theorem Q] □ 

IV. Proof of sufficiency in Theorem[T| 
Sufficiency of ^ for i = 1: We propose a two step protocol 



for securely computing g , gi, g m . In the first step, for 
sufficient large N, the terminals [1, mo] (<?cr see ki n g termi- 
nals) attain omniscience, using an interactive communication 
F" = F" that satisfies 



^(g;af")< £ , 



(19) 



where e > is sufficiently small. Next, upon attaining 
omniscience, one of the terminals in [1 , mo] computes the 
following for mo < j < m: 

(i) Slepian-Wolf codewords Fj = Fj (G^j of appropriate 
rates R'- for a recovery of Gy 4 by a decoder with the 
knowledge of Xf and previous communication F", and 



(ii) the rvs Kj = Kj (X 



N \ 



of rates that satisfy: 
1 



N 



Kj A Gq , F", j 



K, 



N 



:H(K, 



R'4 



lm 



<J<J-1 



< e. 



< e. 



(20) 
(21) 



Note that Kj®Fj denotes the encrypted version of the Slepian- 
Wolf code Fj, encrypted with a one-time pad using the secret 
key (SK) Kj. Thus, terminal j, with the knowledge of Kj, can 
recover Fj from Kj © Fj, and hence can recover G^ . The 
operation Kj © Fj is valid since the SK Kj has size greater 
than \\Fj\\. Furthermore, we have from (|T9l and (|2H that 

<j<rn / 



N 



- TV 



< 



E 



j=m + l 



G^A 
1 

iV 



{Kj® 
log ||^ 



,} 

Jm 



<_7<m 



+ £ 



if fjf 3 -ffi#j I F", jifj © Fj j 



AT 



m <i<j—l 



1 b 



* E 



if, © Fj I F' 



m <i<j — 1 



' b 



2e 



E 

j=m + l 



1 

iV 



- H 
< 3me. 



K, 



H(Kj) 
F",{ 



Ki®F; 



lm 



N 



<i<j-l 



2e (22) 



where the third inequality above uses (|20T i and the last inequal- 
ity follows from (1211 . The equality in ( 1221 follows from the 
fact that Fj = Fj (Gy 1 ) is a function of Gq, since Gj is a 
function of Go- We note that this is the only place in the proof 
where the functional relation between Gw and Go is used. 



Thus, the communication \F , Kj © Fj, mo < j < m 
constitutes the required secure computing protocol for gM 
It remains to show the existence of F" and Kj, mo < j < m 
that satisfy <|T9b-(l2Tb. 

Specifically, when (O holds for i = 1, we have from 
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the definition of i?* (gjn) in (fTTb that for all < e < e 
(eo to be specified later), there exists n > 1 and interactive 
communication F = F (X?, ) sucn that 

-I(GffAF)<e, (23) 



and 



i?p J) < R{ (j9m) + 2' 



where i?p is as in (O. This further implies that there exist 
Ri, ...,R m satisfying (la) and (lb) (for F) such that 

1 1 TO 

- ff ( F ) + - E ^(G J "|x;,F)+i? A ,<i?n 



(24) 



Choosing 



eo < H (X M I G ) — i?i (<7mI 



for some 6 < H (X M \ G ) — R\ ((/.m), we get from ( 1231 and 
(l24l upon simplification: 

rn 

- ^ ff(G? \X?,F)+R M + 5< -R{X n M |Gfi,F). 



(25) 



Next, for k > 1, denote by F fc = (Fi,...,Ffc) the i.i.d. rvs 
Fi = F (X MMi _ 1)+1 , ...,X Myni ), 1 < i < k. Further, 
let N = nk. In Appendix A, we follow the approach in 
the proof of |[T9l Theorem 5] and use (l25T l to show that for 
sufficiently large k there exists an interactive communication 
F' = f (X$) of overall rate R M + 8/2 that satisfies the 
following: 

X]% is e-recoverable from (Xf , F k , F') for 1 < i < m , 

and from (Xf , F fc , G$ , F') for m < i < m, 

(26) 



and further, 



1 

N 



l(G^,F k AF') < e. 



(27) 



The proposed communication F" comprises F',F fe , and con- 
dition ( fT9l follows from ( f23l and (l27T i. Finally, we show the 
existence of Fj and ifj, mo < j < m, as above. From the 
Slepian-Wolf theorem 07), there exist rvs Fj = Fj (Gf) of 
rates 



^<^H(Gf |jrf,P*) 



2m' 



(28) 



such that (7^ is e-recoverable from (X^, F fc , FjJ , mo < 
j < m, for k sufficiently large. Suppose the rvs 
ifj of rates R' ma+1 , R' mo+2 , R^, re- 
spectively, satisfy (120b and (|2TT > for some j < m — 1. Denote 
by F'(j') the communication LF',.Kj ©F,,mo < i < j of 
rate i?W that satisfies 



(29) 



i-mo+1 



We have from (T25)-(|25) that 

^ +1 <Iff(X£|G^F fe )-i?«. (30) 

Heuristically, since Xj^ is recoverable from (X^_ 1 , F k , F'), 
(f30b gives 



iV 



« ±H(X& | G^,F fc ) - lif (F'(j) | GQ,F k ) 
>^H(X^\G^F k )-R^ 

> R'j+i- 

Thus, a randomly chosen mapping Kj+i = Kj+i (Xj^-J of 
rate is almost jointly-independent of Gq , F k , F'(j) (see 
ID). This argument is made rigorous using a version of the 
"balanced coloring lemma" (see 0, J6)) given in Appendix 
B. Specifically, in Lemma EH set U = X$, U' = Xf +l , 
V = Gq, F k , h = F'(j), and 



U 



M 



x%t=^ + l {xf +1 J'{x N M ),F k , g -{x N M )) 



for some mapping ipj+i, where /' (Xj^J = F' is as in ( l26l ). 
By the definition of F', 

Pr (U 6 U ) > 1 - e, 

so that condition (IBlll fi) preceding Lemma IB II is met. Con- 
dition (IBlK ii). too, is met from the definition of Uq, h and 
V. 



Upon choosing 



d 



cxp 



k(H(Xh\G%,F) 



nS 
2m 



in ( IB2I ). the hypotheses of Lemma IB II are satisfied for ap- 
propriately chosen A, and for sufficiently large k. Then, by 
Lemma IbTI with 



[exp(7Vi?; +1 )] 



exp 



AAR( J '))j 



and with Kj+\ in the role of <fi, it follows from dB4b that there 
exists rv Kj+i = Kj+i (Xj^jJ that satisfies < f20b and (fJTJ, 
for k sufficiently large. The proof is completed upon repeating 
this argument for mo < j < m. □ 

Sufficiency of (O for i = 2: The secure computing protocol 
for this case also consists of two stages. In the first stage, as be- 
fore, the terminals [l,mo] (go" see king terminals) attain omni- 
science, using an interactive communication F" = F" (Xj^J. 
The second stage, too, is similar to the previous case and 
involves one of the omniscience-attaining terminals in [l,mo] 
transmitting communication Fj = Fj (Gj) to the terminals 
j, for mo < j < in. However, the encryption-based scheme of 
the previous case is not applicable here; in particular, (|22| ) no 
longer holds. Instead, the communication Fj now consists of 
the Slepian-Wolf codewords for G^ given X^, and previous 
communication F". We show below that if (O holds, then 



8 



there exist communication F" and Fj, mo < j < m, of 
appropriate rate such that the following holds: 



— / (Gq A F", F mo+ i, ...,F„ 



< e, 



for sufficiently large N. 

Specifically, when (O holds for i = 2, using similar manip- 
ulations as in the previous case we get that for all < e < eo, 
there exist interactive communication F = F (X M ), and rates 
Ri,...,R m ,R' mo+1 ,...,R' m satisfying (2a)-(2c) (for F) such 
that 

-7(G£AF)<|, 

and 



Rm + R[ 



[mo+l,m] 



+ 8<-H(X M \G^F), (31) 



with S < H (X M | G ) -Rl {qm) - eo; (ED replaces (|25j in 
the previous case. 

Next, for N = nk consider 2m — mo correlated sources 



Xj , 1 < j < m, and Gj, mo < j < m. Since 



Ri,...,Rm,,R' mo+1 ,...,R' m satisfy (2a)-(2c), random map- 
pings F'j = F'j (X^) of rates Rj, 1 < j < m, and 

Fj+m-mo = Fj+m-mo ( G f) of mteS R 'j< m < j < m 

satisfy the following with high probability, for k sufficiently 
large (see @ Lemma 13.13 and Theorem 13.14]): 



< m, X r jj{ is e-recoverable from 



G"; 



is e-recoverable from 



(i) for 1 < i 
{F{, . ., F' m , F fc , Xf k ); 

(ii) for mo < j < r, 
( Tpk vnk\ • 

\ r j+m-m i r )' 

(iii) for mo < j < m, X'^ is e-recoverable from 
(F',F k ,X^ k ,G^ k ) and from (F', F k , G] k , G lfc ), 

where F fe = (Fi,...,Ffc) are i.i.d. rvs Fi = 
F (X M ,n(i--L)+x, -,XM,m), 1 < i < k. It follows 
from OTb in a manner similar to the proof in Appendix A 
that there exist communication Fj, 1 < j < 2m — mo as 
above such that 

—I (G' Q lk A F', F fc ) < e, 

nk 

for sufficiently large k. 

The first stage of the protocol entails transmission of 
F fe , followed by the transmission of F[, ...,F^ n , i.e., F" = 
(F k , F{, i 7 "™). The second stage of communication Fj is 
given by F' j+m _ mo , for m < j < m. □ 

Sufficiency of (O for i = 3: Using the definition of R^ (gM) 
and the manipulations above, the sufficiency condition (|9]l 
implies that for all < e < eo, there exist interactive 
communication F = F (X M ), and rates R±, R m satisfying 
(3a), (3b) (for F) such that 

-I(G l A F) < ^, 



and 



R M +S< -H(X M | G" Q ,F), 



(32) 



for 6 < H(X M | G ) - i?3 (g M ) ~ ^o- Denoting by F fc 



(F 1; ...,F fc ) the i.i.d. rvs F, 



F (x n f. ^.A 1 < i < k, 

\ n(l-l)+lj' — — ' 

it follows from (3a) and (3b) that for N = nk the random 
mappings F[ = F( (XJ lk ) of rates Ri, 1 < i < m, satisfy the 
following with high probability, for k sufficiently large (see 
Lemma 13.13 and Theorem 13.14]): 

(i) for i e M, Xffi, is e-recoverable from (F', F fe , X™ k ); 

(ii) for i 6 A4, X r jJ[ is e-recoverable from 
(F',F k ,Xf,G^ k ). 

From ( |32t , the approach of Appendix A implies that there 
exist FL i £ M., as above such that 



1 

nk 



-^-1 (G' lk A F', F fc ) < e, 



for sufficiently large k. The interactive communication 
(F'jF' 8 ) constitutes the protocol for securely computing gM, 
where gi (Xm) = ^Mi ,i S M. □ 

V. Proof of Necessity in TheoremQ] 

Necessity of ( UOl ) for i = 1: If functions gM are securely 
computable then there exists an interactive communication F 
such that G" is e„ -recoverable from (X", F), i G A4, and 



-J(GJAF) <e n , 



(33) 



where e n — > as n — > oo. It follows from the Fano's inequality 
tha0 

ifr(G?|Jf < n ,P)<cie nj ieM (34) 
n 

Using an approach similar to that in |j6j, we have from (133V 

^H{X n M ) 

= -H(G^F) + -H(X M \G \F) 

n n 

> (Go 1 ) + (F) + (X M | G ", F) - e„, (35) 

= -H (G%) + - H (F) + -J2h (X? I Xfo_ 1} , Gq, F 
n n n *- — ' V 

i— 1 

-e„. (36) 

Next, for £CM, with [l,mo] ^ C, we have 



1^ (x 2 | 



X 



M\C 



F 



-ff (Gq | X M \ C ,F 



= ±-h(x2\x m ^,gz,f) + ± 

<±H(xi\X MXC ,G n ,F)+c x e n , 

where the last step follows from (l34t and the assumption that 
.9; = go for i & [l,mo]. Continuing with the inequality above, 
we get 

1 



< 



HlX2\X M ^,F 



±Y,[ H (xri AAi]' G oNF)+ Cl e„ 



(37) 



4 The constants c\ , C2 , C3 , C4 depend only on log 1 1 Xj*\ 1 1 , m, mo (and not 
on n). 
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Letting 

Ri = hi (X? | X^ 1} , Gq, f) + Cl e„, i G Ai, 

by d37] i Ri,...,R m satisfy (la) and (lb) for F, whereby it 
follows from ( |34l and d36t that 

-ff (-^.M I Go) 

1 1 TO 

>-H(F) + - J2 H {G™ \ X^¥) + R M - c 2 e n 



i-mo + 1 

where F satisfies ([33). Taking the limit n — > oo, and using the 
definition of i?J (g M ) we get H (X M \ G ) > Rl {qm) ■ □ 

Necessity of ( I70l ) /or i = 2: If gM are securely computable, 
the approach above implies that there exists an interactive 
communication F satisfying d33l and (f34-b such that, with 



| X^._ 1V G%,¥) + Cl e n , 1 < i < m , 



-if | X [ ™ i _ 1]) G ! J^ o+lij _ 1]) G ! l ,Fj +c 1 e„, 

mo < i < m, 
-Rj = cie„, m < j < m, 
we have by d35D . 

■ff (Xm I G ) 

>-H(F) + -H(X M \G^F)-e n 
n n 



i=l 

, m 

+ — ^ I ^[l,i-l]>^lmo+l,i-l]> G 0) F ) _ £ r 



!'=m + l 



(38) 



- + RM + %n +l,m] ~ c 3 e » 

Furthermore, (l34t and the assumption <?j = <?o> 1 < * < m o> 
yield for [1, m ] £ C M that 

-i? | 



ff Xf |X,« ^GJ.F + Cl e 



^ (-^7 I ^[Vi]'^ho+M-i]'^0'^) +cie n 

= ifc, (39) 

and similarly, for [l,mo] C £ C A4, £' C [mo + 1, m], with 
either C =/= M or £ ^ [m + 1, m] that 

-/i ^<j-£,, ^z;|*j[ mo +i, m ]\£' , ^o i * 

_ tt ( Y n \r in v n r< n t? 

— ^ A £l (j [m l , + l,m]\£'. A M\£i (j 0^ 



<Rc + R' c >, (40) 
Therefore, (f39), C23 and (gD) imply that R 1 ,...,R rn , 



R' m , . . . , R' m satisfy (2a)-(2c) for F, which along with 
yields 

H(X M | Go) > R^ - c 3 e n , 

where Rp 2 ' is as in (0, and F satisfies 031 . which completes 
the proof of necessity (fTOb for i = 2 upon taking the limit 
n — > oo. □ 
Necessity of ( TTOl ) /or i = 3: If the functions gM in (0 are 
securely computable then, as above, there exists an interactive 
communication F that satisfies (l33l and (1341 . Defining 

i?, = ii7 (x™ | X^^f) +cie„, * G X, 
similar manipulations as above yield 



1 



H (X M | G ) > -H(F) +R M - citr. 



(41) 



Further, from (l34l we get that R\,..., R m satisfy (3a) and (3b) 
for F. It follows from (HTJ that 

H(X M | G ) > Rp ] - c 4 e„, 

where i? F 2 ' is as in (J8j, and F satisfies d33l , which completes 
the proof of necessity ( fTOb for i = 3 as above. □ 

VI. Discussion: Alternative necessary conditions 

FOR SECURE COMPUTABILITY 

The necessary condition ([Tol l for secure computing given in 
section ITTT1 is in terms of quantities RjZ ', i = 1, 2, 3, defined in 
©, 10, ®, respectively. As remarked before, for i = 1,3, the 
quantity infF Rp is the infimum over the rates of interactive 
communication that satisfy conditions (PI) and (P2). However, 
this is not true for i = 2. Furthermore, although i = 1 is 
special case of i = 2, it is not clear if the necessary condition 
< TT0b for i = 2 reduces to that for i = 1 upon imposing the 
restriction in (0). In this section, we shed some light on this 
baffling observation. 

First, consider the functions gM in ®- F° r this choice of 
functions, denoting by Rq the minimum rate of interactive 
communication that satisfies (PI) and (P2), the results in |[T9l 
imply that (Q~|) constitutes a necessary condition for secure 
computability, with R* = Rq. 

Next, consider an augmented model obtained by introducing 
a new terminal m + 1 that observes rv X m+ i = ci(Xm) 
and seeks to compute <7 m +i = 0. Further, the terminal does 
not communicate, i.e., observation X" l+1 is available only for 
decoding. Clearly, secure computability in the original model 
implies secure computability in the new model. It follows from 
the approach of |[T9l that for the new model also, ((TJ consti- 
tutes a necessary condition for secure computability, with R* 
now being the minimum rate of interactive communication 
that satisfies (PI) and (P2) when terminal m + 1 does not 
communicate; this R* is given by 

max{H(X M \g(X M ),G ),I%}. 
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Note that the new necessary condition (0 is Then it would follow from ( 1AU . (lA2t . and definition of Zm 

H (X M | G ) >R* Q = max{H (X M \ g(X M ),G ) , R* a }, 

which is, surprisingly, same as the original condition PrNlM G J M : X M is e-recoverable from 

H(X M | G ) > R* . (x? k ,Z*,j M \{i} (Xm\{h)) ,i£M, and 

Our necessary condition <|T0) for i = 2 is based on a , k Qnk k . 1 \ >l ( _ £ , 

similar augmentation that entails introduction of m — mo new n fc ^ M > ' / J y — 

terminals observing s rao+ i(I w ),...,. g m (to be used , 

, „ , ,. . xr , , • j.j, • This shows the existence of a particular realization F of J m 

only tor decoding). Now, however, this modification may result , . „ , , -, r 



in a different necessary condition 

Appendix A 



that satisfies d26T > and (l27l i. 

It now remains to prove (IA3t . Defining 



From d25}, we have J% = ljM\{i} 6 «Zm\M : -^.m is e-recoverable from 

(\rnk ryk ( \rnk \ \ 



nR M + d -<H(X M | G£,F) 



where Ri,...,R m satisfy conditions (la) and (lb). For each 

i and R t > 0, consider a (map-valued) rv j, that is uni- we have by (TAJ} that Pr [J M \{i} G Ji) > 1 — e. It follows 



formly distributed on the family Ji of all mappings X^ — > that 
{1, . . . , \exp(knRi)]}, i G M. The rvs J 1; ...,J m ,X^ are 



taken to be mutually independent. Prl Mm ^ Jm '■ 

Fix e, e', with e' > me and e + e' < 1. It follows from _^ 
the proof of the general source network coding theorem [0 — I (ji(X™ k ) A G^ k , F k , jM\{i\ \ -^M\U\) ) — — 

Lemma 13. 13 and Theorem 13. 14] that for all sufficiently large nk \ l JJ m 

k, <e+ Pr ( J M \{i} = JM\{i}) V {.]M\{i}) , 

since Jj is independent of Jx\{i}, where p (jM\{i}) is 

1 defined as 

1 - e, 

(Al) PrjiiiSJi: 



1 JjVf € Jjm : -X">t is e-recoverable from 

(x?\j MX{i} (X% x{i} ),zf),i£ MVj> 



where, for i <E A4, 1 

V, j€[l,m ], 



e 

> — 



Z k 



-I (ji{Xf) A Gf ,F fe ,iM\ W (*#\{< } )) 
(F fe ,Gg fc ) , mo < j < m. Thus, (IA3b will follow upon showing that 

Below we shall establish that p (j M ^ {i} ) < - - e, j M \ {i} G J, (A4) 



Pi" [i^ M e ^ M : ^fc 1 Om(Xm) a G% k ,F k ) > ej^ < e', for ^ fc sufficie ntly large. Fix G J*. We take 

(A2) recourse to Lemma IB II in Appendix B, and set J7 = X^, 



for all fc sufficiently large, to which end it suffices to show 
that 



(A2) recourse to Lemma IB II in Appendix B, and set U = X r M , 

U> = Xr fc , V = (Gf, F k ),h = j MW} , and 



Pr( Mm e Jm ■ 

±.l(MX? k )AGf,F k ,j MX{l} (Xft m )) > ± 



"0 = < X M G X M -x M = ipi\ x i ,jM\{i} \ x M\{i} ) ' 



F k (^) !So "(^)l(m„<Km)) 



for some mapping ipi. By the definition of Ji, 



c 



<—, i&M, (A3) Pr(J7 G Wo) > 1 - e, 



since so that condition dBlK i) preceding Lemma IB II is met. Con- 

dition dBlK ii). too, is met from the definition of Uo,h and 
V. 



I( JM (X^)AGf,F k ) 

m 

= J2l {.h (Xf) A Gf, F k | h (X? k ) , . . . , (X&)) Upon choosing 



i=i 

< 



^/(i, (X? k )AGf,F k ,j MW} (X^ W} )) 



H (X M \G^F) - S - 



i=l 



d = cxp 

in ( IB2I ). the hypotheses of Lemma IB II are satisfied, for 
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appropriately chosen A, and for sufficiently large k. Then, by 
Lemma IbTI with 



|~cxp (knRi)~\ 



[exp (knR M \i)) 



and with Ji in the role of <fi, ( IA4b follows from (IB3b and 
(H. □ 

Appendix B 

Our proof of sufficiency in Theorem[T]requires random map- 
pings to satisfy certain "almost independence" and "almost 
uniformity" properties. The following version of the "balanced 
coloring lemma" given in |fl9l constitutes the key step in the 
derivation of these properties. 

Consider rvs U,U',V with values in finite sets 14,W,V, 
respectively, where U' is a function of U, and a mapping 
h : U {1, ...,r'}. For < A < 1, let U be a subset 
of U such that 

(i) Pr([/eW ) > 1-A 2 ; 

(ii) given the event {U € U Q ,h(U) = j,U' = u',V = v}, 
there exists u = u(u') G Uq satisfying 

Pr (U' = u | h(U) = j, V = v, U £ U a ) 
= Pr (U = u h(U) = j, V = v, U E Uq) , (Bl) 

for 1 < j < r' and »SV. Then the following holds. 

Lemma Bl. Let the rvs U, U 1 , V and the set Uq be as above. 
Further, assume that 



(«,«) :Pr(U = u | V = v) > ^ 



(B2) 



Then, a randomly selected mapping (f> :IA' — > {1, . . . , r} /a;7s 
to satisfy 

r 

^2^Pt (h{U) =j, V = v)x 
j=i tiev 



E 



53 Pr (f 7 ' = «' I Ku) =j t v = v)-- 



u'eW: 



< 14A, 



(B3) 



with probability less than 2rr'\V\ exp ( — J /or a constant 
c> 0. 



Remark. Denoting by s^or the left side of ( IB3I ), it follows 
from [;6] Lemma 1] that 

logr - H{4>{U)) + I(4>{U) A h(U),V) < s var log—. 
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Since the function f(x) = x\og(r/x) is increasing for < 
x < re, it follows from (IB3b that 

\U\ 



logr — H((f>(U)) + I(<fi(U) A h(U),V) < 14Alog 
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